Skip to content

madhuakula/docker-security-checker

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
policy
policy
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

docker-security-checker

This repository contains OPA Rego policies for Dockerfile Security checks using Conftest

Sample rego policy for using COPY instead of ADD in Dockerfile

deny[msg] {
    input[i].Cmd == "add"
    val := concat(" ", input[i].Value)
    msg = sprintf("Use COPY instead of ADD: %s", [val])
}

Running the conftest with security policies

  • Run the following command to test security policies against the Dockerfile
conftest test Dockerfile
  • Now you can see the below example output
WARN - Dockerfile - Do not use latest tag with image: ["ubuntu:latest"]
FAIL - Dockerfile - Suspicious ENV key found: ["SECRET", "AKIGG23244GN2344GHG"]
FAIL - Dockerfile - Use COPY instead of ADD: app /app
FAIL - Dockerfile - Use COPY instead of ADD: code /tmp/code

5 tests, 1 passed, 1 warning, 3 failures

Try it out yourself

  • I have created this scenario in katacoda playground to learn and try out yourself

Katacoda Playground for docker-security-checker

Contribution

  • You can add more policies at policy directory with more information by adding comments

About

Dockerfile Security Checker using OPA Rego policies with Conftest

blog.madhuakula.com/dockerfile-security-checks-using-opa-rego-policies-with-conftest-32ab2316172f

Topics

docker dockerfile security opa infosec rego conftest opa-rego-policies

Resources

Readme

License

MIT license
Activity

Stars

59 stars

Watchers

4 watching

Forks

27 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages